Apple today shipped Security Update 2008-003 (Mac OS X 10.5.3) with fixes for a wide range of serious vulnerabilities that could put users at risk of information disclosure, denial-of-service and remote code execution attacks.
The update (see Techmeme discussion) includes a fix for the iCal vulnerabilities that were publicly disclosed by Core Security last week. The iCal bugs could be exploited to crash iCal or execute arbitrary code via malicious calendar updates or by importing a specially crafted calendar file.
Core Security's warning mentions three separate vulnerabilities but Apple's update only includes a fix for a single bug:
A use-after-free issue exists in the iCal application's handling of iCalendar (usually ".ics") files. Opening a maliciously crafted iCalendar file in iCal may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by improving reference counting in the affected code. This issue does not affect systems prior to Mac OS X v10.5.
In all, Apple documents at least 41 vulnerabilities in this mega update. They include seven (7) different vulnerabilities in Apple's implementation of Apache, the most serious of which may lead to cross-site scripting attacks.
The Flash Player Plug-in also gets a makeover to correct seven (7) bugs could could lead to arbitrary code execution via booby-trapped Flash content. This update includes a fix for the flaw that's currently being exploited in drive-by malware attacks.
Code execution holes are also fixed in AppKit's processing of document files; Apple Pixlet Video's handling of files using the Pixlet codec; Apple Type Services server's handling of embedded fonts in PDF filesp; CoreFoundation's handling of CFData objects; and CoreGraphics' handling of PDF files.
The Mac OS X Leopard patch also fixes flaws in CoreTypes, CUPS, Help Viewer, International Components for Unicode, Image Capture, ImageIO, Kernel, LoginWindow, Mail, ruby, Single Sign-On and Wiki Server.